What Happened?
Adam discovered that server-side security controls were not enabled in our customer’s target application, allowing him to access features intended for paying customers.
Some Background
We often find that some of our clients are relying on client-side security controls to enforce key security features.
Unfortunately for them, it’s often overlooked that the end users can fully manipulate client-side controls and, therefore, easily bypass them.
Combining this with inadequate access control checks when calling backend API functions, a user with only a Freemium subscription to the application could access additional features which were reserved for paying customers.
The Finding
During the web application test, while logged in as a Freemium user, Adam opened the user’s account page and attempted to access a paid-for feature. A ‘paywall modal’ was displayed, seemingly preventing him from using these perks.
Crucially, though, Adam was easily able to determine that this paywall modal was only a client-side ‘security’ measure. Client-side measures are executed, and therefore validated, by the client itself, so the user has complete control over the paywall modal and could simply bypass what should have been a server-side validation of the user’s subscription level.
After disabling the paywall modal, Adam attempted to execute one of the underlying paid-for functions provided via the supporting API backend. There were no backend server-side access control checks, so it was possible to make a request that a Freemium user should never have been able to make.
In fact, there were no server-side controls on any of the upgrade features, meaning that any user could access every restricted feature – whether they’d paid or not!
The Fix
The ‘Golden Rule’ of application security: Never rely on client-side controls to enforce core security functions!
These can be trivially bypassed, so always make sure suitable access control checks are applied to all application functions. This way, you know for sure that the users making these requests have appropriate permissions (and are paying!) to do so.
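To make the rule concrete, here is an added example (not code from the original post or the tested application) of a minimal API handler in both forms: one that trusts a client-supplied entitlement flag, and one that resolves the subscription level from a server-side session store. The session store, plan names and handler names are constructed for illustration.

```python
# Added example: the broken pattern (trusting client-supplied entitlement data)
# next to the server-side check the post recommends. All names and data here
# are constructed for illustration.
from dataclasses import dataclass, field
from functools import wraps

# Constructed server-side session store: the only trustworthy source of the
# caller's subscription level. In a real app this is a database lookup.
SESSIONS = {
    "session-free": {"user": "alice", "plan": "freemium"},
    "session-paid": {"user": "bob", "plan": "premium"},
}

PLAN_RANK = {"freemium": 0, "premium": 1}


@dataclass
class Request:
    session_id: str                            # authenticated session token
    body: dict = field(default_factory=dict)   # JSON body the client controls


def export_report_vulnerable(req):
    """Trusts the client's claim about its plan: any user can send is_premium=True."""
    if not req.body.get("is_premium"):
        return 403, {"error": "upgrade required"}
    return 200, {"report": "premium data"}


def requires_plan(min_plan):
    """Decorator: derive the plan from the server-side session, never from the body."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(req):
            session = SESSIONS.get(req.session_id)
            if session is None:
                return 401, {"error": "not authenticated"}
            if PLAN_RANK[session["plan"]] < PLAN_RANK[min_plan]:
                return 403, {"error": "upgrade required"}
            return handler(req)
        return wrapper
    return decorator


@requires_plan("premium")
def export_report_fixed(req):
    """Same feature, but the paywall is enforced on the server for every call."""
    return 200, {"report": "premium data"}


if __name__ == "__main__":
    spoofed = Request("session-free", {"is_premium": True})
    print(export_report_vulnerable(spoofed)[0])  # 200: paywall bypassed
    print(export_report_fixed(spoofed)[0])       # 403: server-side check holds
```

The decorator applies the same check to every paid-for function, which is the point of the ‘Golden Rule’: the client can change whatever it likes in the request body, but the decision is made from data it cannot touch.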
Bedtime Reading
- https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
- https://cwe.mitre.org/data/definitions/602.html